Abstract



This document discloses an autonomous auditing tool that acts as a trusted third-party go-between for corporations, external auditors, and governmental agencies, allowing them to securely analyze a company's internal data. It uses a combination of static forms and statistical methods to find evidence of errors or patterns in internal managerial and financial records that indicate wrongdoing. The results of its analysis can then be appropriately tailored and distributed to various external audiences.

Background of the Invention 

Recent corporate scandals … corporations' internal dealings … revealed publicly, since … in general. It is a necessary condition that not all data be disclosed, in order to preserve a company's ability to compete. On the other hand, the … revelation of proprietary information … allows mismanagement to occur, such as … "round-trip" energy trades.



… - May have … inflating sales contracts.

Qwest Communications - May have inflated revenue for 2000 and 2001 through capacity swaps and ….

WorldCom - May have used questionable methods to book sales, classify assets and account for debts.

XEROX - Settled for $10 million without admitting or denying wrongdoing for inflating revenue and profits from 1997 to 2000 by including future payments on existing contracts.

Although human accountants or auditors have traditionally been used to uncover such illicit activity, there is clearly room for improvement in the performance of today's auditors.

Brief Summary of the Invention

SDI-BUS is designed to overcome some of these problems. Based on SDI (Secure Data Interchange, Herz et al.), SDI-BUS acts as a trusted intermediary between a company's internal affairs and related external parties, not necessarily …, basing its transmissions on the permission levels assigned to each party, in order to more accurately detect corporate wrong-doings.



Brief Description of the Drawings 

FIG. 1 - Suggested SDI-BUS Structure. 
FIG. 2 - Shows an example of how a Bayesian net can be used to construct the
probabilistic model at the core of SDI-BUS.



Detailed Description 

SDI-BUS is based on the previously disclosed SDI architecture (again, provide reference with
perhaps Z Option), which defines the framework for the … analysis system. There are, of course, a
multitude of ways in which SDI-BUS can be configured; here we discuss one of many potential
configurations. See Figure 1 for an overview.

Inputs 

(What other sorts of information would we want to take directly from the company itself?)

… system.) Note that a secure transfer protocol is utilized to minimize the risk of information leaks.

SDI-BUS also accesses a wide range of external information; one example would be Reuters' … It
would be … public and private databases. Co-pending patent application entitled "…" of …
likelihood that a particular undesirable behavior had already occurred.

Analysis 

Once these various strands of data are gathered within SDI-BUS, a variety of analytical methods
are applied, including static scripts or templates, active statistical approaches (already given by the
literature), and occasional human intervention. See Section 3 for more details.



… company's data, it is very likely that inefficiencies or missed opportunities in the company's operations will
be detected by SDI-BUS. It can produce a report recommending actions that the company can take to
correct these problems and increase profits.

* Fraud detection: This report details areas within the company's operations that have exceeded a certain
probabilistic threshold of suspicion and have been flagged for follow-up by an expert human auditor.

Feedback -- Adjustments 

In the preferred implementation of the system, an independent human auditor is allowed to 
monitor the reports being generated by SDI-BUS. In addition to having the ability to oversee the 
generation of reports, this auditor will also have the ability to tune various settings within the system.
These alterations include: 

* The auditor can alter the probability thresholds used in fraud detection (a company that sells scuba gear 
might have a very valid reason to do business in the Cayman Islands - an auditor might therefore greatly 
increase the threshold needed to trigger the "hiding profits offshore" flag). 

* The auditor can write new templates specific to the target company and tailored to the auditor's particular
focus. These templates can then be uploaded to SDI-BUS, which will include the new templates in its
ongoing analysis. An additional layer of protection will prohibit SDI-BUS from returning any proprietary
information to the auditor, although it may be the case that non-specific data measures, such as randomized
aggregates, are allowed. 

* The auditor can upload modules incorporating entirely new statistical or analytical methods. Depending 
on the complexity and on the variables requested, these modules may need to be security checked before 
they are allowed into the SDI-BUS system. 

Dissemination of Results 

When reports and analyses are complete, SDI-BUS disseminates its results on a need-to-know 
basis to a collection of interested third parties. Thus, while an internal company auditor might be given a 
report that includes proprietary information regarding certain sales figures in the Cayman Islands, outside
shareholders wouldn't be given access to this inside information, and might rather be told simply that the 
company's current fraud-detection index is "high". 

Interested parties receiving final reports include the following: 

* Company Auditors

* Government Agencies: Securities and Exchange Commission, Dept. of Justice, etc. 

* Investors/Shareholders

3. Analytical Methods

SDI-BUS is capable of using a wide variety of analytical methods, which may be used in different 
combinations or settings depending on the target corporation and on the analytical objectives. These 
methods include, but are not limited to, the following: 

Templates/Rule Base 

The simplest type of analysis is done by templates, or fixed rules, that are stored internally in
SDI-BUS's rule base. These generally embody basic rules of accounting and corporate governance, and can be
quickly fitted to data as it is loaded in.

For example, one could set up a rule to track executives previously suspected of setting up 
offshore shells: 



xi = binary variable flagging previous conviction by DOJ for executive i (0 = no conviction,
1 = conviction).

yi = number of trips to Caribbean in last year.

zi = number of phone calls to Caribbean in last year.

IF (xi) AND (yi > 3 and zi > 5) THEN OFFSHORE_FRAUD_FLAGi = 1 ELSE
OFFSHORE_FRAUD_FLAGi = 0.

In operation, SDI-BUS will run a battery of such simple rules against the target data. 
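The rule above, run as part of a small template/rule base, as an added example that is not code from the patent: the offshore rule is the one in the text, while the debt-to-revenue rule, the rule weights, the arithmetic combination and the auditor-tunable threshold are assumptions.

```python
"""Added example (not from the patent): a tiny template/rule base in the style of
SDI-BUS. The offshore rule is the one in the text; the debt-to-revenue rule and all
weights and thresholds are assumptions."""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Rule:
    name: str
    triggered: Callable[[dict], bool]  # True when the template's condition fires
    weight: float = 1.0                # assumed: used when rules are combined arithmetically


def offshore_fraud_flag(record):
    """Rule from the text: IF xi AND (yi > 3 and zi > 5) THEN OFFSHORE_FRAUD_FLAGi = 1."""
    x = record["doj_conviction"]     # 0 = no prior DOJ conviction, 1 = conviction
    y = record["caribbean_trips"]    # trips to the Caribbean in the last year
    z = record["caribbean_calls"]    # phone calls to the Caribbean in the last year
    return 1 if (x and y > 3 and z > 5) else 0


def debt_ratio_violated(record):
    """Assumed ratio rule (Rule A later in the text, reconstructed): debt <= 0.33 * revenue.
    The rule is 'triggered' when the inequality is violated."""
    return not (record["debt"] <= 0.33 * record["revenue"])


RULES = [
    Rule("OFFSHORE_FRAUD_FLAG", lambda r: offshore_fraud_flag(r) == 1, weight=2.0),
    Rule("DEBT_RATIO", debt_ratio_violated, weight=1.0),
]


def run_rule_base(record, rules=RULES):
    """Run the battery of rules over one record; return triggered names and their weighted sum."""
    fired = [r.name for r in rules if r.triggered(record)]
    score = sum(r.weight for r in rules if r.name in fired)
    return fired, score


def needs_human_review(record, threshold=2.0, rules=RULES):
    """Hand the record to the human auditor when the combined score reaches the threshold,
    which the auditor can raise or lower (the adjustable threshold of the Feedback section)."""
    return run_rule_base(record, rules)[1] >= threshold


if __name__ == "__main__":
    # Constructed record for one executive, enriched with the company's financials.
    sample = {"doj_conviction": 1, "caribbean_trips": 4, "caribbean_calls": 6,
              "debt": 50.0, "revenue": 100.0}
    print(run_rule_base(sample), needs_human_review(sample))
```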

Statistical Analysis

There are, of course, many more sophisticated methods of analysis, such as the various well-
understood and publicly documented statistical techniques popularly used for data mining. In the preferred
implementation, one of the analytical approaches used by SDI-BUS will involve Bayesian networks, which
allow a complex web of inputs to successively influence the probability distribution of a final outcome. In
this case, it uses the inputs to calculate a final probability distribution for the following event: is fraud
occurring?

The simplest types of Bayesian nets are directed acyclic graphs that encode conditional probabilistic 
relationships between various event nodes. Realistically, it is likely that the complex graphs used for this 
application will include cyclical elements (in other words, more than one semipath may exist between any 
two nodes); this makes the calculation of conditional probabilities more complex, but still within the realm 
of solvability (using known state-of-the-art statistical methods). 

The network can be constructed by human domain experts who understand the many factors 
involved in business and accounting fraud, as well as their causal linkages. These factors include those 
things that would impact the probability of fraud occurring (for example, recruitment of chief executives 
with histories of unsound financial dealings), as well as those things whose probabilities of being observed 
are impacted in turn by the occurrence of a fraud (for example, a sudden drop in stock price or sudden 
increase in insider selling). 

Because the central event of interest - the occurrence of fraud - may not be directly observable in its early 
stages, our calculation of its probability will be heavily conditioned on those factors which are directly 
observable. 

Once the network connections are established, the conditional probabilities for the event nodes 
must be defined. Although it is likely that most of these will again be constructed by human experts, there
are well-known machine learning methods that would allow the probabilities to be calculated directly from 
a training data set. Certainly, once the system has been in operation for some time and enough data has 
been collected, the overall accuracy of the network could be improved by training it on the new data. 

Figure 2 shows an example of how a Bayesian net can be used to construct the probabilistic model 
at the core of SDI-BUS. Note that this is only one embodiment, and that different structures and/or
different variables may be built into it. For this example, we indicate observable events as boxes and 
unobservable events as ovals. Note that the direction of the arrows indicates which events have an impact 
on the probabilities of the events that follow. The oval representing the fraud event lies in the middle of 
this network: some events feed into it, and it feeds into other events. The information contained in both the 
"parents" and the "children" of the event will be used in the calculation of its conditional probability. 

At the top of Figure 2 is a row of observable events that may occur before a fraud actually takes 
place - the target company may begin to employ individuals knowledgeable about methods for committing 
fraud (it is likely that even if such individuals do not have criminal records, they will be tied through 
newspaper accounts and press releases to unsavory past fraud events, companies associated with fraud or 
other individuals who ended up facing charges for fraud). The company might also start opening offshore
branches or accounts. Finally, there may be preliminary announcements of concern by the Department of
Justice or the SEC regarding the company's activities.

If and when fraud occurs, it will probably not be observable from the outside. However, the 
consequences of the fraud may be observable: for example, the company's announced financial results may 
be spectacularly better than those of other companies in the same industry. 

Although fraud may not be observable to the outside world, it will definitely be observable to 
company insiders; if they are not happy with the event, they may panic and take defensive actions.
Although the insider panic will not be directly observable to the outside world, it will likely cause certain
observable events. These might include an increase in insider stock sales, an unexpected drop in share 
price, incidents of document shredding, and a wave of resignations by ethical executives who wish to 
distance themselves from the company. 

Once the weights within the Bayesian network are configured (possibly by human experts using 
past events as guides), the network itself is ready to be used as a fraud monitor. At regular intervals 
(depending on the company, anything from daily to monthly) values for observable events are calculated 
and fed into the network, which then computes a distribution for the probabilistic event that a fraud has 
occurred. 
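The monitor described above, as an added example that is not the patent's own code or model: a small Bayesian network in the shape of Figure 2 (observable precursors feeding a hidden fraud node, which feeds observable consequences directly and through a hidden insider-panic node), with the posterior computed by exact enumeration and the result tailored to two audiences as the Dissemination section describes. Node names, structure and every probability are assumptions.

```python
"""Added example (not from the patent): a small Bayesian fraud monitor in the shape of
Figure 2. Node names, structure and every probability below are assumptions."""
from itertools import product

# name -> (parents, CPT); a CPT maps a tuple of parent values (0/1) to P(node = 1).
# Observable precursors feed the hidden 'fraud' node; fraud feeds an observable
# consequence directly and several more via the hidden 'insider_panic' node.
NET = {
    "hired_suspect_exec": ((), {(): 0.05}),
    "offshore_accounts":  ((), {(): 0.10}),
    "regulator_concern":  ((), {(): 0.02}),
    "fraud": (("hired_suspect_exec", "offshore_accounts", "regulator_concern"),
              {(a, b, c): min(0.95, 0.01 + 0.30 * a + 0.20 * b + 0.40 * c)
               for a, b, c in product((0, 1), repeat=3)}),
    "results_beat_peers": (("fraud",), {(0,): 0.10, (1,): 0.60}),
    "insider_panic":      (("fraud",), {(0,): 0.02, (1,): 0.70}),
    "insider_sales":      (("insider_panic",), {(0,): 0.05, (1,): 0.60}),
    "share_price_drop":   (("insider_panic",), {(0,): 0.10, (1,): 0.50}),
    "resignations":       (("insider_panic",), {(0,): 0.03, (1,): 0.40}),
}
ORDER = list(NET)  # insertion order is topological: parents precede children


def joint(assignment):
    """P(full assignment) = product over nodes of P(node | parents)."""
    p = 1.0
    for node in ORDER:
        parents, cpt = NET[node]
        p_true = cpt[tuple(assignment[par] for par in parents)]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p


def posterior(query, evidence):
    """P(query = 1 | evidence) by exact enumeration over the unobserved nodes.
    Fine for a dozen binary nodes; a real deployment would use a proper inference engine."""
    hidden = [n for n in ORDER if n not in evidence and n != query]
    num = den = 0.0
    for q in (0, 1):
        for vals in product((0, 1), repeat=len(hidden)):
            assignment = dict(evidence, **dict(zip(hidden, vals)))
            assignment[query] = q
            p = joint(assignment)
            den += p
            if q:
                num += p
    return num / den


def fraud_report(evidence, threshold=0.5):
    """Need-to-know outputs: the auditor gets the probability, shareholders only a level.
    The threshold is the auditor-tunable setting described under Feedback."""
    p = posterior("fraud", evidence)
    return {"auditor": round(p, 4), "shareholders": "high" if p >= threshold else "low"}


if __name__ == "__main__":
    # Constructed monthly observations: offshore accounts plus insider selling and a share drop.
    print(fraud_report({"offshore_accounts": 1, "insider_sales": 1, "share_price_drop": 1}))
    print(fraud_report({"offshore_accounts": 0, "insider_sales": 0, "share_price_drop": 0}))
```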

Human Expert 

Finally, there is a provision for human experts to be included in the loop (with proper security
provisions) when especially sensitive or complex issues arise. Most often they will be called in to verify
or dismiss potential fraud when SDI-BUS's automated analysis flags an irregularity.



Scamster Fraud Types

1. Pump and Dump schemes - Bogus or over-hyped company stock is over-hyped
over the Internet by the scamster so stock value becomes artificially inflated. He
then dumps his stock to these new over-zealous investors.

2. Claiming to have invested money into non-profits but actually investing it into
foreign companies for profit in order to both conceal profits and avoid taxes for
these profits without detection.

3. Within a company, employees making requisitions of purchase orders and
authorizing delivery of equipment with the intention of stealing it. 

4. Particularly in the financial services industry, providing business or personal loans to
executives, colleagues, employees or families thereof (including "political favors")
without assurances or even intent to act in good faith in repaying the loan (e.g., 
allowing the company to go bankrupt). SOA prohibits employees or executives 
from receiving such loans. 

5. Compelling (illicitly incenting) a competitor's manager not to drive the other
companies out of business (which is its job to do so, e.g., a new grocery, convenience 
or pharmacy chain store whose primary mission is to drive out of business the 
smaller longer established private competitors). 

6. Insider trading - under SOA insider trading schemes (e.g., ImClone, Waksal and
Martha Stewart) would have to give detailed disclosure of timing and quantity of
stocks sold as well as significant sales by other people (e.g., Waksal's family and
friends), and this data inherently would have to be disclosed as linked to particular
harmful events to the stock value (i.e., failure to receive SOA approval of the
company's primary drug for cancer). 

7. Moving funds into international divisions for purposes of performing fraud in
these less regulated markets - SOA requires the same regulations for foreign
divisions of American companies as those regulating its domestic divisions.

8. As in the Enron scandal, over inflating earnings, underestimating debts, such that
company performance appears better than it is and so executives can cash in on 
additional stock options (and presumably then cash out of their equity before the 
true status of the company affects the actual stock price). This is one example of an 
executive's opposing interest to achieve short-term gains, or perceived short term 
gains at the expense of the company's long term valuation (this is more of an 
incentivization optimization problem regarding stock option incentive formulas in 
response to performance criteria). 

SOA strongly places additional responsibility and burden on upper level 
management even for fraud and misdeeds at the lower levels. It also is designed to 
incentivize whistleblowers in order to form a more distributed economic structure 
for self-policing. 

Auditing Concepts 

1. Fraud is typically associated with the movement of funds from legitimate to
illegitimate uses in actuality and on reports. Clever fraudsters are able to fudge
numbers such that the uses and destinations of such funds appear legitimate. In 
certain cases the actual numbers may be greater than or less than the reported 
numbers for income receivables, payables, expenditures, etc., and the nature of the 
allocations/uses and sources of these funds. If there is sophisticated tampering of 
these records by a clever fraudster, the continual use of electronic work flow 
applications in which templates can be automatically or manually filled could be 
used to statistically flag anomalous behavior such as the above. The actual internal 
fund transfers between the organization and/or financial institution could 
conceivably provide the process for which these automated templates could be filled 
thus enabling better tracking of monetary inflow/outflow and money handling 
within and without the organization. A certain degree of the auditing process is 
based upon providing explanations of financial data including anything from the 
reasons for certain financial activities, expenses, receivables, loans, forecasts over 
actuals, missing data records, etc. It may be possible to custom construct certain 
templates in which natural language is parsed, the templates are automatically filled 
and natural language processing techniques are used in order to identify certain 
particular anomalous patterns by which a notification alert may be triggered and, 
for example, additional human and/or automatically generated questions could 
additionally be presented to the party(s). A decision tree or other similar 
hierarchical querying scheme could be used to immediately query all relevant 
individuals associated with any internal conditions or events which are even slightly 
anomalous, inconsistent and/or potentially suggestive of hiding or concealing of
certain financial information or events which may correlate with that information. 
An associative web of data, people and events may also be collected and aggregated
over time in order for link analysis to occur, for example, tracking of an event to
certain individuals and/or web of associates or family members associated with 
these individuals. This can be useful both for purposes of collecting factual evidence 
from multiple sources about and even on individuals or for performing statistical 
analysis from the plethora of personal available data as to the statistical probability 
the likelihood of such individual(s) to actively engage or associate themselves with 
suspicious activities. 

The system would be more effective in identifying the probable likelihood of 
certain suspicious activities or events by monitoring a more complete collection of 
the sources and channels by which an individual in a company who is motivated to 
commit fraud would necessarily have to utilize. For example, SDI Scam could
opportunely monitor the business activities, transactions and investments of a 
given individual within a company (and ideally those of his/her family and/or 
friends/associates), particularly if certain statistical derived suspicions have already 
been raised. 

Describe automated regulatory compliance and autonomously provided 
attestation using rules based on automatic classification of behavior, some template 
based language inputs and a rule base characterizing the various regulatory 
requirements. 

Describe how to limit a plethora of SOA compliance criteria without
shareholders being revealed the exact nature of each of the various regulations 
complied with. 
Overall, rules … conventions.

Rule A: debt <= 0.33 * revenue. If this inequality is violated, the rule is "triggered".

Rules created by human experts … may involve strict relationships … may be very … believe that … combinations of … such a rule may appear as …

Rule C: 0.223 * … + 0.99 …

If such a rule is triggered (that is, if the inequality is violated) the company may have
reason to believe that a given driver is an insurance risk.

Combination of Rules 

The combination of rules that is used for a … will depend entirely on the goals of that …
… compliance with industry standards may select … coded regulations, and these rules might … accounting data, … a wide range of … emails and personal files, … user's threshold will be some larger positive number.

… are re-estimated on updated data.

… an organization change over time.

… combined arithmetically.